Learning Library

Unified Risk Operations Center Strategy

Key Points

  • Cyber criminals exploit the fragmented, siloed nature of traditional risk functions—anti‑fraud, AML, SOC, insider‑threat, etc.—which leads to duplicated tools, data, and processes and creates gaps they can abuse.
  • A realistic attack (phishing → credential theft → SIM‑swap → crypto laundering) demonstrates how no single department has full visibility, causing each to misinterpret the incident and respond inadequately.
  • Building a Unified Risk Operations Center (UROC) consolidates data from every source and format across the organization, breaking down silos and providing a single pane of glass for risk insight.
  • The UROC relies on machine‑learning‑driven risk profiling and standardized, automated workflows that translate disparate data into consistent, actionable alerts.
  • By unifying data, analytics, and response processes, the organization can detect attacks that would have gone unnoticed, close exploitation gaps, and respond more quickly and accurately to threats.

Full Transcript

# Unified Risk Operations Center Strategy

**Source:** [https://www.youtube.com/watch?v=bOPhZiW0-Rs](https://www.youtube.com/watch?v=bOPhZiW0-Rs)
**Duration:** 00:07:59

## Sections

- [00:00:00](https://www.youtube.com/watch?v=bOPhZiW0-Rs&t=0s) **Unified Risk Operations Center Strategy** - The speaker argues that fragmented anti‑fraud, AML, and security teams create exploitable gaps, and proposes a machine‑learning‑driven, open‑platform unified risk operations center to detect and prevent attacks like phishing and SIM‑swap fraud.

## Full Transcript
0:00 Cyber criminals are becoming increasingly aggressive, and they're counting on your organization to have a fractured response to their bad behavior. But you can take back the upper hand by developing a new unified risk operations center strategy. This strategy uses machine learning and open platforms to enable you to detect attacks that previously would have gone unnoticed.

0:23 So the problem with what we're doing today is that risk management is really being built in silos. We have a department for anti-fraud, we'll have a different department for anti-money laundering, we've got the security operations center, corporate security, insider threat, and the issue is that all of these different groups are duplicating their effort. They have duplicate data, tools and tactics, and duplicate processes, and ultimately this results in gaps and inconsistencies that cyber criminals really love to exploit.

0:54 So let's take a little look at an example scenario. Today we're going to have our attacker, who's going after our unsuspecting victim, Jim. So our attacker is going to send Jim an email, a phishing email, which contains malware. So Jim's a nice guy, he's not expecting to be phished today. He opens that email, which results in his banking credentials being sent to our attacker.

1:18 Our attacker then uses these credentials to log into Jim's bank account, but Jim was smart: Jim set up second-factor authentication. Unfortunately our attacker is pretty crafty and steals Jim's mobile number by performing an illegitimate SIM swap. So now he's able to approve the second-factor authentication challenge, which gives him full access to Jim's bank account.

1:42 With this access he then buys 500,000 worth of cryptocurrency, which he then transfers to different mule accounts, uses a crypto laundering service to make this unable to be traced back to him.

1:55 So we can have a think about how our different departments might detect and respond to this today. Our security operations center might say that this is actually just legitimate behavior, there's nothing suspicious here. Our anti-fraud department might say that this looks like a case of compromised credentials. And our anti-money laundering department might actually say that Jim was the one who was laundering money. So the point is, all these different departments don't have full visibility into what took place, which means that none of them can respond accurately and timely to the incident.

2:31 So how are we going to bring power back to the organization? Well, we can bridge the gap by building a unified risk operations center strategy. So this strategy makes use of a couple of core principles. One being using data wherever it lives, in whatever format, from across the organization, consolidating that data to make it accessible. We also use machine learning and risk profiling at the core, and we build consistent workflows on top of this data and the machine learning insights that we get, so that everything is handled consistently across the organization. And finally, this is a consumable service, so that other parts of the business, other applications and services, are able to use the insights that we're getting out of our risk analytics.

3:18 Okay, so how do we get there? This is an iterative journey; it doesn't happen overnight. What we do is we pick some use cases and we build on them each time, proving value to the organization of doing so. So to start with here, we're going to start by integrating our anti-fraud and our anti-money laundering departments. So at this point we've got a small swarm team which has got a couple of people from the different groups. We're starting to do joint strategy and operations planning between these groups, and we're also rationalizing the tools and controls between them.

3:51 So what can we detect now? Well, our anti-money laundering department might have noticed that this money went to a crypto laundering service, and our anti-fraud department might have noticed that, you know, this transaction took place at an unusual time of day. So from here we can start to remediate, we can start to take action on these insights. So we could automatically block future access to this account, and we can automatically notify the authorities so that we're preventing future losses to the business.

4:21 Okay, so our next step is then to scale up. So now we're going to pull in information from our security operations center and our corporate security groups. So now our swarm team is getting bigger; we're including people from these new departments. We're also further rationalizing the tools and controls, so we're reducing that duplicate set of tools in the organization. And at this phase of maturity you're really starting to make these insights consumable, so other parts of the business can use the rich insights that we're building here.

4:53 Okay, so what are we going to be able to detect now? Well, the SOC might be able to tell us that our organization is being targeted at the moment by a phishing campaign. We might also know that Jim had malware on his device at the time of compromise, and we can start to pull in information from other third parties. So the telco might be able to tell us that, you know, the SIM swap that took place was actually illegitimate, or in fact we could look up information about recent activity on Jim's account. So now what can we do with this information? Well, we can see how the attacker got access in the first place, which means we can start to remediate and ensure that this type of attack doesn't take place again in the future.

5:35 Okay, so now we want to do our final iteration. We want our fully fledged unified risk operations center, and so what we're going to do is we're going to make sure that all of the departments in our organization are integrated into this platform. So we're pulling data from wherever it lives in the organization, and in whatever format it lives in, we are able to consolidate this data so that we can do machine learning on top of it, and we're getting those risk insights associated with all different types of entities throughout the environment. We also have well-defined workflows so we can automatically deal with known threats, and we have a really well-structured way for dealing with unknown threats. And of course, as I mentioned before, this is all consumable, so other parts of the business can use this information.

6:21 Okay, so now what can we detect at this final phase? Well, all the pieces of the puzzle are starting to come together. We might be able to see things like: this device that was used to authenticate the attacker was actually a new device, which in itself isn't an indicator of fraud, but it does increase the suspiciousness of this particular incident. We can also correlate this with other information, from consortium data for example, and we could say, okay, well, we've actually seen this device be used for fraud in the past. We can do machine learning on different parts of our environment, so we could do machine learning on Jim's usual transactions, so the transaction value and the transaction type, which would flag this particular transaction as an anomaly. And ultimately what we're doing is we're pulling all these little pieces of risk information together to be able to inform real-time decisions, so in this case we can prevent this transaction from ever actually having taken place anyway.

7:23 Okay, so we know that our existing mechanisms of building risk management around specific silos isn't sustainable. We need to bring together the data, the tools and the people in order to be able to effectively manage risk. Consider your risk management modernization journey and have a think about how a unified risk operations center strategy could help you manage risk now and into the future.

7:48 Thank you. If you like this video and want to see more like it, please like and subscribe. If you have questions, please drop them in the comments below.
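The correlation the speaker walks through, as an added example in Python (this is not code from the video or from any product it describes). Records from four silos arrive in their own native shapes (syslog key=value lines from the SOC, a CSV row from anti-fraud, JSON from AML and from the telco), are normalized into one entity-keyed event stream, and are then scored first with each silo's view alone and then jointly. Every record, field name, signal weight, the block threshold, the "known laundering service" list and Jim's transaction history are constructed assumptions for illustration.

```python
# Added example: unified risk correlation over constructed records from
# siloed sources. Not code from the video. All records, field names, weights,
# the threshold, the laundering-service list and Jim's history are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import mean, pstdev
import json
import re

@dataclass
class Event:
    entity: str      # the customer the record is about
    source: str      # silo that produced it: soc / fraud / aml / telco
    kind: str        # normalized event type
    ts: datetime
    attrs: dict = field(default_factory=dict)

# Constructed sample records, each in its silo's native shape (assumed).
SOC_SYSLOG = [
    "2024-05-01T08:40:00Z mailgw user=jim event=phish_campaign_hit campaign=invoice-lure",
    "2024-05-01T09:02:11Z edr host=jim-laptop user=jim alert=malware_detected family=infostealer",
]
FRAUD_CSV = ("ts,user,event,device_id,device_new,mfa_approved\n"
             "2024-05-01T22:15:40Z,jim,login,dev-9f3a,1,1\n")
AML_JSON = [
    {"ts": "2024-05-01T22:21:05Z", "customer": "jim", "type": "crypto_purchase", "amount": 500000},
    {"ts": "2024-05-01T22:25:30Z", "customer": "jim", "type": "transfer", "counterparty": "mixer-xyz"},
]
TELCO_JSON = [{"ts": "2024-05-01T21:50:00Z", "subscriber": "jim", "event": "sim_swap", "verified": False}]
JIM_HISTORY = [120, 80, 200, 95, 150, 60, 110]   # anti-fraud's profile of Jim's usual amounts
KNOWN_LAUNDERING = {"mixer-xyz"}                  # assumed AML watchlist
THRESHOLD = 60                                    # assumed block threshold

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def normalize():
    """Translate every silo's format into the common Event schema."""
    events = []
    for line in SOC_SYSLOG:
        ts, _, rest = line.split(" ", 2)
        kv = dict(re.findall(r"(\w+)=(\S+)", rest))
        events.append(Event(kv["user"], "soc", kv.get("alert") or kv["event"], parse_ts(ts), kv))
    header, *rows = FRAUD_CSV.strip().split("\n")
    for row in rows:
        r = dict(zip(header.split(","), row.split(",")))
        events.append(Event(r["user"], "fraud", r["event"], parse_ts(r["ts"]), r))
    for r in AML_JSON:
        events.append(Event(r["customer"], "aml", r["type"], parse_ts(r["ts"]), r))
    for r in TELCO_JSON:
        events.append(Event(r["subscriber"], "telco", r["event"], parse_ts(r["ts"]), r))
    return sorted(events, key=lambda e: e.ts)

def signals(events, sources):
    """Risk signals visible to a team that can see only `sources`.
    Cross-silo signals need every silo they join, so they never fire for one silo alone."""
    ev = [e for e in events if e.source in sources]
    def has(kind, **match):
        return [e for e in ev if e.kind == kind
                and all(e.attrs.get(k) == v for k, v in match.items())]
    found = []
    if has("phish_campaign_hit"):
        found.append(("hit by active phishing campaign", 10))
    if has("malware_detected"):
        found.append(("infostealer on endpoint before login", 20))
    logins = has("login")
    if has("login", device_new="1"):
        found.append(("login from never-seen device", 15))
    if any(not 7 <= e.ts.hour < 20 for e in logins):
        found.append(("login outside usual hours", 10))
    # telco + fraud: unverified SIM swap within 6h before an MFA-approved login
    mfa_logins = [e for e in logins if e.attrs.get("mfa_approved") == "1"]
    if any(timedelta(0) <= lg.ts - sw.ts <= timedelta(hours=6)
           for sw in has("sim_swap", verified=False) for lg in mfa_logins):
        found.append(("MFA approved shortly after unverified SIM swap", 40))
    if any(t.attrs.get("counterparty") in KNOWN_LAUNDERING for t in has("transfer")):
        found.append(("transfer to known laundering service", 30))
    # aml + fraud: purchase amount scored against anti-fraud's profile of Jim
    if "fraud" in sources:
        for p in has("crypto_purchase"):
            z = (p.attrs["amount"] - mean(JIM_HISTORY)) / (pstdev(JIM_HISTORY) or 1)
            if z > 3:
                found.append((f"purchase {z:.0f} sigma above usual amount", 25))
    return found

def assess(entity, sources):
    """Score one entity from the given silos and decide before the transaction clears."""
    events = [e for e in normalize() if e.entity == entity]
    found = signals(events, sources)
    score = sum(w for _, w in found)
    return {"entity": entity, "sources": sorted(sources), "score": score,
            "signals": [name for name, _ in found],
            "decision": "block_transaction" if score >= THRESHOLD else "allow"}

if __name__ == "__main__":
    for silo in ("soc", "fraud", "aml", "telco"):
        print(json.dumps(assess("jim", {silo})))       # each silo alone stays under threshold
    print(json.dumps(assess("jim", {"soc", "fraud", "aml", "telco"})))  # unified view blocks
```

Run on its own, no single silo reaches the block threshold: the SOC sees a phishing hit and an infostealer but no money movement, anti-fraud sees a new device at an odd hour, AML sees a transfer to a mixer, and the telco's SIM swap scores nothing by itself. The two signals that carry most of the weight are joins across silos (SIM swap followed by MFA approval, purchase amount against anti-fraud's profile), which is exactly the gap the speaker describes; only the unified assessment crosses the threshold and can block the transaction before it clears.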